kylin-issues mailing list archives

From "XuCongying (Jira)" <j...@apache.org>
Subject [jira] [Created] (KYLIN-4393) There are several CVEs in the project dependencies
Date Sun, 01 Mar 2020 12:24:00 GMT
XuCongying created KYLIN-4393:
---------------------------------

             Summary: There are several CVEs in the project dependencies
                 Key: KYLIN-4393
                 URL: https://issues.apache.org/jira/browse/KYLIN-4393
             Project: Kylin
          Issue Type: Bug
            Reporter: XuCongying


Hi~ I noticed some of your libraries contain CVEs. I suggest updating their versions to
increase the security of your project. The following is the detailed content.
 
Vulnerable Library Version: org.scala-lang : scala-compiler : 2.11.0
  CVE ID: [CVE-2017-15288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15288)
  Import Path: engine-flink/pom.xml, kylin-it/pom.xml, engine-spark/pom.xml
  Suggested Safe Versions: 2.11.12, 2.12.10, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9,
2.13.0, 2.13.0-M1, 2.13.0-M2, 2.13.0-M3, 2.13.0-M3-f73b161, 2.13.0-M4, 2.13.0-M4-pre-20d3c21,
2.13.0-M5, 2.13.0-M5-1775dba, 2.13.0-M5-5eef812, 2.13.0-M5-6e0cba7, 2.13.0-RC1, 2.13.0-RC2,
2.13.0-RC3, 2.13.1

Vulnerable Library Version: org.apache.tomcat : tomcat-catalina : 7.0.91
  CVE ID: [CVE-2016-8735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735), [CVE-2019-0232](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232),
[CVE-2016-6794](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794), [CVE-2016-6816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816),
[CVE-2016-8745](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745), [CVE-2019-17563](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563)
  Import Path: tomcat-ext/pom.xml, server/pom.xml, server-base/pom.xml
  Suggested Safe Versions: 10.0.0-M1, 7.0.100, 9.0.30, 9.0.31

Vulnerable Library Version: com.h2database : h2 : 1.4.196
  CVE ID: [CVE-2018-10054](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054),
[CVE-2018-14335](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335)
  Import Path: server/pom.xml, kylin-it/pom.xml, source-jdbc/pom.xml, source-hive/pom.xml,
datasource-sdk/pom.xml
  Suggested Safe Versions: 1.4.198, 1.4.199, 1.4.200

Vulnerable Library Version: com.google.guava : guava : 14.0
  CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
  Import Path: core-storage/pom.xml, stream-receiver/pom.xml, server/pom.xml, core-cube/pom.xml,
core-metadata/pom.xml, jdbc/pom.xml, tool-assembly/pom.xml, core-metrics/pom.xml
  Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android,
25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android,
27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre

Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.2.1
  CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
  Import Path: metrics-reporter-hive/pom.xml, assembly/pom.xml, server/pom.xml, kylin-it/pom.xml,
source-jdbc/pom.xml, source-hive/pom.xml, server-base/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2,
2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.spark : spark-core_2.11 : 2.3.2
  CVE ID: [CVE-2017-7678](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7678), [CVE-2018-3826](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3826),
[CVE-2018-11770](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11770), [CVE-2019-10099](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10099)
  Import Path: server/pom.xml, kylin-it/pom.xml, engine-spark/pom.xml, storage-hbase/pom.xml
  Suggested Safe Versions: 2.4.5
 
Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 1.0.0
  CVE ID: [CVE-2018-1288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288), [CVE-2019-17196](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196)
  Import Path: assembly/pom.xml, source-kafka/pom.xml, kylin-it/pom.xml, stream-source-kafka/pom.xml,
metrics-reporter-kafka/pom.xml
  Suggested Safe Versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
 
Vulnerable Library Version: org.apache.hive : hive-jdbc : 1.2.1
  CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521),
[CVE-2018-1282](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1282)
  Import Path: server/pom.xml, source-jdbc/pom.xml, source-hive/pom.xml
  Suggested Safe Versions: 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hadoop : hadoop-hdfs : 2.7.1
  CVE ID: [CVE-2016-5001](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5001), [CVE-2018-11768](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768)
  Import Path: metrics-reporter-hive/pom.xml, assembly/pom.xml, stream-core/pom.xml, stream-receiver/pom.xml,
server/pom.xml, kylin-it/pom.xml, engine-mr/pom.xml, storage-hbase/pom.xml
  Suggested Safe Versions: 2.10.0, 2.8.5, 2.9.2, 3.1.2, 3.1.3, 3.2.0, 3.2.1
 
Vulnerable Library Version: org.springframework : spring-core : 4.3.10.RELEASE
  CVE ID: [CVE-2018-1272](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272)
  Import Path: tool/pom.xml
  Suggested Safe Versions: 4.3.15.RELEASE, 4.3.16.RELEASE, 4.3.17.RELEASE, 4.3.18.RELEASE,
4.3.19.RELEASE, 4.3.20.RELEASE, 4.3.21.RELEASE, 4.3.22.RELEASE, 4.3.23.RELEASE, 4.3.24.RELEASE,
4.3.25.RELEASE, 4.3.26.RELEASE, 5.0.10.RELEASE, 5.0.11.RELEASE, 5.0.12.RELEASE, 5.0.13.RELEASE,
5.0.14.RELEASE, 5.0.15.RELEASE, 5.0.16.RELEASE, 5.0.5.RELEASE, 5.0.6.RELEASE, 5.0.7.RELEASE,
5.0.8.RELEASE, 5.0.9.RELEASE, 5.1.0.RELEASE, 5.1.1.RELEASE, 5.1.10.RELEASE, 5.1.11.RELEASE,
5.1.12.RELEASE, 5.1.13.RELEASE, 5.1.2.RELEASE, 5.1.3.RELEASE, 5.1.4.RELEASE, 5.1.5.RELEASE,
5.1.6.RELEASE, 5.1.7.RELEASE, 5.1.8.RELEASE, 5.1.9.RELEASE, 5.2.0.RELEASE, 5.2.1.RELEASE,
5.2.2.RELEASE, 5.2.3.RELEASE

Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 2.9.5
  CVE ID: [CVE-2019-16335](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335),
[CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814), [CVE-2018-19362](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362),
[CVE-2018-19360](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360), [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439),
[CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943), [CVE-2019-14379](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379),
[CVE-2019-14540](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540), [CVE-2019-17267](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267),
[CVE-2018-12023](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023), [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840),
[CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330), [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384),
[CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086), [CVE-2018-14720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720),
[CVE-2018-14721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721), [CVE-2018-14719](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719),
[CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531), [CVE-2018-14718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718),
[CVE-2018-11307](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307), [CVE-2018-19361](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361),
[CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942)
  Import Path: core-common/pom.xml, stream-receiver/pom.xml
  Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3

Vulnerable Library Version: org.springframework.security : spring-security-core : 4.2.3.RELEASE
  CVE ID: [CVE-2019-3795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3795), [CVE-2019-11272](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272)
  Import Path: stream-receiver/pom.xml
  Suggested Safe Versions: 4.2.13.RELEASE, 4.2.14.RELEASE, 5.0.12.RELEASE, 5.0.13.RELEASE,
5.0.14.RELEASE, 5.1.5.RELEASE, 5.1.6.RELEASE, 5.1.7.RELEASE, 5.1.8.RELEASE, 5.2.0.RELEASE,
5.2.1.RELEASE, 5.2.2.RELEASE
 
Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.1
  CVE ID: [CVE-2016-5393](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5393), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009),
[CVE-2016-6811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811), [CVE-2017-15718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718),
[CVE-2016-3086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3086), [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713),
[CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029)
  Import Path: core-storage/pom.xml, tomcat-ext/pom.xml...(The rest of the 33 paths are hidden.)
  Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
 
Vulnerable Library Version: org.apache.httpcomponents : httpclient : 4.2.5
  CVE ID: [CVE-2014-3577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577), [CVE-2015-5262](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262)
  Import Path: core-common/pom.xml, jdbc/pom.xml
  Suggested Safe Versions: 4.3.6, 4.4, 4.4-alpha1, 4.4-beta1, 4.4.1, 4.5, 4.5.1, 4.5.10, 4.5.11,
4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9
 
Vulnerable Library Version: org.springframework : spring-webmvc : 4.3.10.RELEASE
  CVE ID: [CVE-2018-15756](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756),
[CVE-2018-1271](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271), [CVE-2018-1199](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199)
  Import Path: stream-receiver/pom.xml, server-base/pom.xml
  Suggested Safe Versions: 4.3.20.RELEASE, 4.3.21.RELEASE, 4.3.22.RELEASE, 4.3.23.RELEASE,
4.3.24.RELEASE, 4.3.25.RELEASE, 4.3.26.RELEASE, 5.0.16.RELEASE, 5.1.13.RELEASE, 5.2.3.RELEASE
 
Vulnerable Library Version: org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.1
  CVE ID: [CVE-2017-3166](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166)
  Import Path: engine-flink/pom.xml, server/pom.xml, kylin-it/pom.xml, engine-mr/pom.xml
  Suggested Safe Versions: 2.10.0, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3,
2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 3.0.0-alpha4, 3.0.0-beta1, 3.0.1, 3.0.2, 3.0.3, 3.1.0,
3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
 
Vulnerable Library Version: org.apache.commons : commons-compress : 1.18
  CVE ID: [CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402)
  Import Path: core-common/pom.xml
  Suggested Safe Versions: 1.19, 1.20
 
Vulnerable Library Version: org.eclipse.jetty : jetty-server : 9.3.22.v20171030
  CVE ID: [CVE-2017-7656](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656), [CVE-2019-10247](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247),
[CVE-2017-7657](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657), [CVE-2017-7658](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658),
[CVE-2018-12536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536)
  Import Path: stream-receiver/pom.xml, server/pom.xml, server-base/pom.xml
  Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429,
9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117
 
Vulnerable Library Version: mysql : mysql-connector-java : 5.1.8
  CVE ID: [CVE-2019-2692](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2692), [CVE-2017-3523](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3523),
[CVE-2017-3589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589)
  Import Path: core-common/pom.xml, server/pom.xml, kylin-it/pom.xml
  Suggested Safe Versions: 8.0.16, 8.0.17, 8.0.18, 8.0.19

Vulnerable Library Version: org.postgresql : postgresql : 42.1.1
  CVE ID: [CVE-2018-10936](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10936)
  Import Path: datasource-sdk/pom.xml
  Suggested Safe Versions: 42.2.10, 42.2.10.jre6, 42.2.10.jre7, 42.2.5, 42.2.5.jre6, 42.2.5.jre7,
42.2.6, 42.2.6.jre6, 42.2.6.jre7, 42.2.7, 42.2.7.jre6, 42.2.7.jre7, 42.2.8, 42.2.8.jre6, 42.2.8.jre7,
42.2.9, 42.2.9.jre6, 42.2.9.jre7
 
Vulnerable Library Version: xerces : xercesImpl : 2.11.0
  CVE ID: [CVE-2012-0881](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881), [CVE-2013-4002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002)
  Import Path: kylin-it/pom.xml
  Suggested Safe Versions: 2.12.0

--
This message was sent by Atlassian Jira
(v8.3.4#803005)